Installing a basic puppet setup in debian

This tutorial guides you through installing a simple Puppet 3.6 environment to manage a few servers, with a puppetmaster, a puppet agent, and a basic site.pp with some modules.

The puppetmaster

The first step is to install the puppetmaster on a Debian machine. This machine should be reachable under the hostname puppet.

$ wget https://apt.puppetlabs.com/puppetlabs-release-wheezy.deb
$ dpkg -i puppetlabs-release-wheezy.deb
$ apt-get update && apt-get install puppetmaster
$ touch /etc/puppet/manifests/site.pp

Now you have a basic puppetmaster install. If you run any puppet command, it will complain about deprecated configuration options. To fix this, edit /etc/puppet/puppet.conf:

# /etc/puppet/puppet.conf
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
#templatedir=$confdir/templates # This line should be commented

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

Installing the puppet agent

This step is very simple if you're running a recent Debian version. Just install the package:

$ apt-get install puppet

Client signing and Autosigning

Puppet's security model is based on SSL certificates for the host and the clients. By default the client has to request its certificate with:

$ puppet agent --waitforcert 60 --test

and the server has to accept it with:

$ puppet cert list
$ puppet cert sign the-fqdn-from-above-command

And then back on the agent:

# Press ctrl-c to end the request process
$ puppet agent --test

If you have a small setup on your local network and don't care too much about security, you can enable autosigning on the puppetmaster. With autosigning enabled, you only have to run puppet agent --test to connect the agent to the master. Be aware that this also means everyone who can connect to your network can read all your Puppet manifests.

To enable autosigning, create the file /etc/puppet/autosign.conf and fill it with a single asterisk.
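
A check for the autosigning setup described above, as an added example that is not part of the original tutorial: it reads autosign.conf entries and flags a match-all line. The function names and sample entries are made up for this example, and it assumes one certname or leading-asterisk domain glob per line.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit autosign.conf entries.
# Assumes one entry per line: "*" alone signs every request, "*.domain"
# signs any certname under that domain, anything else is one certname.

# classify_entry ENTRY -> prints match-all, domain-glob or exact
classify_entry() {
    case "$1" in
        '*')   echo "match-all" ;;
        '*.'*) echo "domain-glob" ;;
        *)     echo "exact" ;;
    esac
}

# audit_autosign < FILE -> prints one finding per entry.
# Returns 1 if a match-all entry is present, 0 otherwise.
audit_autosign() {
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Trim whitespace so padded entries are still classified
        entry=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$entry" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        kind=$(classify_entry "$entry")
        printf 'line %s: %s: %s\n' "$lineno" "$kind" "$entry"
        if [ "$kind" = "match-all" ]; then status=1; fi
    done
    return "$status"
}

# Constructed sample file contents for the demonstration
sample_autosign() {
    cat <<'EOF'
# lab agents
server1.company.local
*.company.local
*
EOF
}

# Real use: audit_autosign < /etc/puppet/autosign.conf
sample_autosign | audit_autosign ||
    echo "match-all entry found: every certificate request is signed"
```

A domain-glob entry is narrower than a single asterisk, but the requesting agent chooses its own certname, so it still signs any request that claims a name under that domain.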

Puppet manifests

Now you have your new and shiny Puppet setup. To make it useful you need to create a Puppet manifest that describes your servers. Your main manifest is the file /etc/puppet/manifests/site.pp and it is completely empty. For the complete manual on creating these manifests, visit the Puppet documentation site.

This is an example site.pp file:

node basenode {
  user { "martijn":
    ensure     => "present",
    managehome => true,
  }

  package { 'htop': ensure => installed }
}

node 'server1.company.local' inherits basenode {
}

node 'server2.company.local' inherits basenode {
  package { 'apache2': ensure => installed }
  package { 'mysql-server': ensure => installed }
}

This configuration file defines the basenode (this can be any name). This node is not a real server but only a node with the basic settings for other servers and is referenced at the bottom by inherits basenode.

In the basenode the user martijn is created on all servers and the package htop is installed. The node server2.company.local doesn't only inherit the settings from basenode but also installs the packages apache2 and mysql-server.

This is a very basic example that just installs some packages and defines some users. Puppet also has a large library with predefined classes for specific programs or services. Let's add NTP and vim config to the servers.

First you need to install the modules on the puppetmaster. Used plugins are automatically copied to the puppet agents when needed.

$ puppet module install puppetlabs-ntp --version 3.0.3
$ puppet module install saz-vim

And the updated site.pp:

node basenode {
  # Install vim and write a server-wide vimrc with these options
  class { 'vim':
    opt_syntax => true,
    opt_misc   => ['expandtab', 'shiftwidth=4'],
  }

  # Declare ntp once, resource-style, so the servers parameter can be set
  class { '::ntp':
    servers => [ 'nl.pool.ntp.org' ],
  }

  user { "martijn":
    ensure     => "present",
    managehome => true,
  }

  package { 'htop': ensure => installed }
}

node 'server1.company.local' inherits basenode {
}

node 'server2.company.local' inherits basenode {
  package { 'apache2': ensure => installed }
  package { 'mysql-server': ensure => installed }
}

This installs the ntp client on your servers and configures it to use nl.pool.ntp.org as the ntp server. It also installs vim and creates a default server-wide .vimrc.

There are a lot more things that can be done with manifests. For more information about manifests visit the Puppet documentation website.

Follow part 2 of this tutorial to learn how to use templates and move code to separate modules.